In the wake of the October 2010 release of Firesheep many social media websites are stepping up their security. Firesheep is a simple-to-use user account hijacking tool which can give attackers temporary full access to accounts from many of the most popular social media websites. Social media sites like Facebook, Twitter, Gmail, Hotmail, Flickr and WordPress, have begun to add full end-to-end encryption.
George Ou at Digital Society tracks SSL implementations on web-sites and has created an online services report card. The report card grades the way that social media sites implement full end-to-end encryption, and what generic protocols are deemed safe. The latest report card looks like this:
The table from Digital Society indicated that only Gmail.com and WordPress free hosting site get an “A” and are fully impervious to partial and full sidejacking and full hijacking of HTTP sessions. The report card gives Facebook, Twitter and Microsoft’s Hotmail failing grades. The bottom part of the table refers to generic protocols that are commonly used by computers and smartphones. The majority of devices use unsafe versions of protocols according to Digital Society.
Microsoft (MSFT) has announced the general availability of the full-session SSL (HTTPS). The security upgrade has also been applied to other Live services, including SkyDrive, Photos and Devices. MSFT says to activate full session SSL (I recommend you do, especially if you ever access these services on public or shared computers), head on over to https://account.live.com/ManageSSL. After completing their form SSL is activated and all future Web connections will be protected. It’s important to note, however, that flipping the SSL switch means you won’t be able to reach your Hotmail via Windows Live Mail (desktop), the Outlook Hotmail connector, or the Windows Live app for Windows Mobile 6.5 and Symbian.
The latest Google (GOOG) site to support SSL-encrypted connections is Google’s Picasa Web. As with many other sites, though, not everything displayed on Picasa Web is encrypted. While the home page and upload form are fully encrypted, gallery pages report as being only partly encrypted. The Google Operating System blog says that many Google services now support HTTPS connections: Gmail (enabled by default), Google Reader, Google Groups, Picasa Web Albums, Google Search, Google Finance, YouTube (partly encrypted). Other services only support encrypted connections: Google Calendar, Google Docs, Google Sites, Google Health, Google Analytics, Google AdSense and AdWords, Google Web History, Google Bookmarks, Google Voice, Google Latitude, Google Checkout.
Even average users are a bit more in-tune when it comes to security and privacy on the Web today (thanks in part to the recent Firesheep threats). There’s a simple solution: browse using HTTPS when possible. The easiest way to do that is to use Mozilla Firefox and the HTTPS Everywhere from the EFF, which I use and wrote about here.
- Google to enforce SSL encryption on developer APIs (go.theregister.com)
- What is HTTPS and Advantages of it (mstechexplore.wordpress.com)
- At Google, HTTPS is the New HTTP (programmableweb.com)